The Department of Justice (DOJ) Victim Notification System (VNS) is an automated system used by federal personnel to notify federal crime victims regarding developments in their cases, including information about the status of the investigation, prosecution, trial, incarceration, location, and custody status of the offender related to the crime.

The VNS came online in October 2001 and as of October 5, 2007, contained information on more than 1.5 million registered victims. The annual budget for the VNS has remained at approximately $5 million since fiscal year (FY) 2002.1 Since work began on creating the system in FY 1998, the VNS has cost a total of more than $38 million. The VNS is managed by the Executive Office for United States Attorneys (EOUSA) and is used by all United States Attorneys Offices (USAO), the DOJ Criminal Division, the Federal Bureau of Investigation (FBI), the Federal Bureau of Prisons (BOP), and the United States Postal Inspection Service (USPIS).

In this audit, the Office of the Inspector General (OIG) examined the management of the VNS, the effectiveness of the VNS for victims, and the information security of the system. In conducting this audit, we interviewed personnel who managed the system, as well as personnel from agencies directly involved with the VNS. We analyzed victim-related data in the VNS and sent surveys to a sample of victims in the VNS. We also worked with a contractor to perform a review of the VNS’s information security. In general, our audit covered the period from FY 1998 through FY 2007.

Results in Brief

Our audit found that, overall, federal VNS users and victims we surveyed were generally satisfied with VNS services.2 However, we identified weaknesses in certain areas. Specifically, we found that there are few internal controls in place to ensure the accuracy and completeness of data in the VNS. For example, 18 percent of the surveys we mailed to victims considered to be active in the VNS were returned as undeliverable.3 Officials from VNS‑participating agencies also discussed with us similar problems they have encountered with undeliverable correspondence.

We also determined that EOUSA has no schedule or written plans for: (1) increasing storage space on the VNS server, despite capacity having reached a level where system performance has been affected; (2) replacing VNS hardware, which is reaching the end of its usefulness; or (3) providing for the continuity of VNS project management, which is currently concentrated in a single position.

We also found that EOUSA is now in the process of expanding the number of agencies that participate in the VNS, although it had not previously placed a priority on such expansion. In addition, EOUSA is working on establishing a direct connection for the VNS to obtain court-event data from the Administrative Office of the U.S. Courts (AOUSC). When developed, this interface will assist USAOs with notification of court proceedings.

As a result of victims’ responses to our surveys indicating that they considered the custody status of defendants to be of high importance, EOUSA is now working to include such information, available from the United States Marshals Service (USMS), in the VNS.

Our review of VNS effectiveness revealed that many victim-respondents to our survey: (1) found VNS notifications to be generally understandable and useful, (2) obtained the information they desired from the VNS Call Center, and (3) found the VNS website generally easy to use.4 However, 25 percent of active VNS victims who responded to our survey reported having no knowledge of the VNS or that their names were maintained in such a system. The fact that a significant number of federal crime victims were unaware of the system was of concern to us. Another concern we identified is that the contractor that maintains the VNS Call Center was not ensuring that a Spanish-speaking operator was on duty during all hours of operation, as required by the contract.

We also found that a large percentage of victims had been removed from an active status in the VNS with no reason having been recorded for doing so. Removing a victim from “active” status means that he or she no longer receives notifications about case-related events. That VNS does not require a participating agency to note a reason for “deactivating” a victim, or establish any other internal control, renders this critical step more difficult to correct if in error.

In addition to the management and effectiveness of the system, we also evaluated the information security of the VNS. Using a private auditing firm, we identified deficiencies with EOUSA’s implementation of systems and communications protection controls, identification and authentication, website privacy, security measures, and web application controls. These deficiencies indicate that the sensitive information contained within the VNS was not adequately protected against loss of confidentiality and the integrity and availability of data was not appropriately ensured.

Our report contains detailed information on the full results of our review of the VNS. In this report, we made 19 recommendations to help EOUSA carry out its responsibilities in managing the system.

The remaining sections of this Executive Summary describe in more detail the background of the VNS and our audit findings.

Background

The Victim and Witness Protection Act of 1982, the Victims of Crime Act of 1984, the Crime Control Act of 1990, the Violent Crime Control and Law Enforcement Act of 1994, the Justice for All Act of 2004, and the Attorney General’s (AG) Guidelines for Victim and Witness Assistance established various procedures to address the needs of victims of crime.5 Each of these contain a directive to ensure that victims are notified of significant stages and procedural developments in the criminal justice process. Notification means keeping victims aware of the status of an investigation of a crime, as well as the subsequent prosecution, trial, incarceration, location, and custody status of the offender related to the crime.

Prompted by a memorandum issued by the Office of the Attorney General, in July 2000 EOUSA entered into a contract with AT&T to create the VNS and establish and staff a Call Center to assist federal and victim users of the VNS. Utilizing funds provided by DOJ’s Office for Victims of Crime (OVC), EOUSA managed the development of the system. Field deployment of the VNS and Call Center operations began in October 2001, and the VNS was fully operational by January 2002.

How the VNS Works

The VNS, a web-based application, receives data from automated case management systems at the FBI, USAOs, the DOJ Criminal Division, the USPIS, and the BOP. Specifically, the VNS receives downloads from the FBI’s Automated Case Support (ACS) system, the USPIS’s Inspection Service Integrated Information System (ISIIS), the USAO’s Legal Information Office Network System (LIONS), the DOJ Criminal Division’s Automated Case Tracking System II (ACTS II), and BOP’s SENTRY system. Data transferred from the various systems includes the case number; victim, defendant, and inmate information; court events; and custody status updates. Notably, some of the victim-related information that resides in the VNS is personally identifiable information (PII), such as the names, addresses, and, in some cases, social security numbers of victims of federal crimes.

Victims in the VNS are notified of case events by letter, e‑mail, facsimile, or telephone when a particular event in a case occurs, such as a scheduled court date or the release of a prisoner. Initially, the system consisted of the VNS, which federal VNS users access via a secure intranet connection, and the Call Center, which is used by both federal VNS users and victims of federal crimes. However, VNS services were enhanced in FY 2005 based on a DOJ request to enhance the VNS by enabling victims to access case information via the Internet. This resulted in the development of the Victim Internet System (VIS), which allows victims to have access to a subset of VNS data via the Internet. The VIS database server, in which the users’ encrypted information is stored, is located at the Justice Data Center.

The following graphic illustrates how the various component systems feed into the VNS, as well as how victim users of the system obtain case-related information.

INFORMATION FLOW IN THE VNS

[Image Not Available Electronically]

Source: VNS User Manual and the DOJ Criminal Division

Audit Approach

The Office of the Inspector General (OIG) assessed EOUSA’s management of the VNS, the effectiveness of the VNS for victims, and the information security of the system. The objectives of the audit were to determine if: (1) EOUSA has effectively managed the VNS, including overseeing the contractors, ensuring the accuracy of data in the system, and planning for the future; (2) the VNS is an effective tool for victims of crime; and (3) the VNS was properly secured to prevent unauthorized use, access, and data modification.

To accomplish our audit objectives, we conducted more than 40 interviews with personnel from agencies directly involved with the VNS. To help evaluate the VNS’s effectiveness for victims, as well as the accuracy of data in the system, we obtained and analyzed victim-related data extracted from the VNS. We then designed, deployed, and analyzed the results from surveys we sent to 2,762 victims whose status in the system was “active,” as well as 480 additional surveys sent to victims who were no longer “active” in the system. In addition, we obtained a test VNS victim-user account and performed our own evaluation of various VNS services.

We also spoke with headquarters officials from those federal agencies that do not directly participate in the VNS to determine their knowledge of the system and whether they have been contacted about direct participation in the VNS. We conducted fieldwork in Chicago and Lisle, Illinois; Lexington and Louisville, Kentucky; Kansas City and Leavenworth, Kansas; and Kansas City, Missouri, where we spoke with senior management and staff who utilized the VNS at the local USAO, BOP, USPIS, and FBI offices. We also performed a limited review of the contracted services that are provided and, in order to evaluate the VNS’s information security, utilized a private auditing firm to perform an information security review of the VNS.

In general, the scope of our audit covered the period from FY 1998 through FY 2007. Additional information about our audit scope and methodology is contained in Appendix I.

EOUSA Management of the VNS

Our audit determined that personnel from VNS-participating federal agencies, such as FBI Victim Specialists, were generally satisfied with services provided by the VNS. However, weaknesses remain in how calls to the VNS Call Center are tracked, the accuracy of data in the VNS, and the long-term plans for the future of the system.

Data Accuracy

We found that there are few internal controls in place to ensure the accuracy and completeness of data in the VNS. According to the VNS Project Manager, the accuracy of information in the VNS is largely dependent upon what was provided or entered originally by the participating agency, and there is no process for routinely checking the accuracy of victim files in the VNS. Yet, this means that victims whose contact information in the VNS is incorrect could be missing the opportunity to attend court events and be otherwise updated on the status of their case. EOUSA told us that it is the victim’s responsibility to update all contact information. Victims can update their information by various methods, such as via the VNS website or by contacting the USAO Victim-Witness Coordinator responsible for their case.

The lack of accurate contact information in the VNS was confirmed by our audit. Eighteen percent of the 2,762 victim surveys we mailed to victims active in the VNS were returned to us as undeliverable mail. We were also told by staff and officials from VNS‑participating agencies about problems they have encountered with undeliverable correspondence.

EOUSA officials acknowledged these issues, noted that they do not have the resources to follow up on initial notifications, and said that EOUSA was moving towards using the VNS website more than written notification letters. EOUSA officials also acknowledged that returned e-mail notifications was an emerging issue, and that they were in the process of establishing a protocol for identifying and getting information about undeliverable e‑mail to participating agencies for action. Regardless of notification method, we believe that EOUSA should work with VNS-participating agencies to ensure that contact information in the VNS is as accurate as possible so that, at the very least, each victim receives an initial notification.

Archiving Data and Replacing Hardware

According to contractor personnel, as well as EOUSA’s FY 2007 budget request, storage space on the VNS server has been filled to almost 80 percent of capacity. This has limited the speed at which data can be accessed and has become a bottleneck in the system. Additionally, much of the VNS’s equipment is coming to the end of its useful life span and is in need of replacement. Although the VNS contract requires the contractor to archive VNS data periodically based on specific criteria, no VNS records have ever been archived and there are no current plans in place to do so.

During our audit, we discussed these issues with EOUSA and, in August 2007, EOUSA officials informed us that they plan to replace the existing equipment with new equipment that will resolve the capacity issue and the need to archive or remove data from being accessible online.

Outreach to Other Federal Agencies

In addition to all USAOs, only the FBI, the USPIS, the BOP, and the DOJ Criminal Division connect directly to the VNS. However, all investigative agencies are mandated to perform victim notifications during the investigative phase. Therefore, those federal investigative agencies who do not participate in the VNS, such as the United States Secret Service (USSS) and the Internal Revenue Service (IRS), must provide victims information during the investigative phase of a case on their own. Once they submit cases to a USAO, however, the USAO then “takes over” the notification process via an upload of information to the VNS.

EOUSA officials stated that their outreach efforts have been focused on those agencies whose cases involve the most victims. As shown in the following graphic, the FBI and the USPIS, by far, have the most (79 percent) victims in the VNS.

Source: OIG analysis of VNS data

In response to our discussions regarding other agencies that could possibly connect with the VNS, EOUSA officials advised us of their plans to create a universal, web-based interface with the VNS that could be utilized by all investigative agencies. We believe that this interface would be a useful step towards consolidating victim notifications throughout the federal government.

In addition to information about the investigative phase of a case, the VNS also provides notifications of court events, such as a competency hearing being held or a guilty plea being entered.6 However, data related to court events is maintained by the Administrative Office of the U.S. Courts (AOUSC). In order for this data to make it into the VNS, it must first be obtained from the AOUSC and then manually entered into the USAO case management system by personnel at individual USAO offices. It is then uploaded from the USAO case management system to the VNS. During the course of our audit, EOUSA officials informed us of a plan to create an interface by which AOUSC data could be electronically passed to the VNS, thereby eliminating the time-consuming data‑entry process, with its propensity for human input error.

In August 2007, EOUSA officials provided us with a copy of a signed Memorandum of Agreement (MOA) between EOUSA and the AOUSC to develop an interface between the two systems, and noted that the agencies are working together to connect the systems.

VNS Project Management and Succession Planning

Since its inception, the VNS has been managed by a single project manager, an Assistant United States Attorney based in Kansas City, Kansas. EOUSA has no formalized succession plan to continue management of the VNS should anything happen to key personnel. After discussing this issue with EOUSA, EOUSA officials informed us that they are developing a succession plan that will address any contingency issues for VNS project management.

VNS Effectiveness

To gauge the effectiveness of the VNS in notifying victims of certain key events, we interviewed federal VNS users and Call Center personnel, used a VNS test user account to assess VNS services from a victim’s perspective, and conducted a survey of victims considered to be active in the VNS, as well as a survey of victims who had been “opted-out” (deactivated) of the VNS.

For our survey of those victims active in the VNS, we mailed out 2,783 surveys and received 691 responses. We reviewed these responses and determined that 531 of the 691 responses we received were valid and could be used for additional analysis. For our survey of those victims who had been “opted out” of the VNS, we mailed out 489 surveys, received 58 responses, and determined that 44 of these responses could be used for further analysis.7

Overall, we found that many active victim survey respondents found the notifications to be understandable and useful to some degree. However, we identified areas in which we believe EOUSA could improve the services the VNS provides to victims.

Victim Notifications

Twenty-five percent of the active victim respondents to our survey indicated that they did not know about the VNS or that they were included in the VNS as a victim, that they had no idea why they had received our survey, or that our survey was the first piece of correspondence they had received regarding the VNS. Moreover, according to the VNS data, these respondents had each been sent an average of 18 notifications, and the number of notifications sent to these victims ranged between 1 and 160.

These responses indicate that the VNS is not as effective as it could be at notifying victims of case events. A significant number of federal crime victims have no knowledge of the system and are not receiving notifications from the VNS. In addition to the statutory requirement that victims be notified of events that occur in their cases, we believe it also important that EOUSA ensure that victims: (1) are aware that they qualify as victims of a federal crime, (2) are aware that their personal information is contained within the VNS, and (3) have been afforded the opportunity to decide whether they wish to receive notifications of events that occur within their cases.

We spoke with EOUSA officials about this issue, and they acknowledged that there is no formal follow-up process to ensure that victims receive notifications from the VNS. However, these officials expressed the belief that performing follow-up on letters would be overly burdensome on participating agency personnel and noted that EOUSA was moving towards using the VNS website more than written notification letters.

We believe that the purpose of the VNS is not always fulfilled by simply ensuring that notifications are sent out. Rather, we believe it is incumbent upon EOUSA to seek to ensure that as many victims as possible receive notifications. We recommend that the EOUSA work with VNS-participating agencies to develop procedures for ensuring victim contact information is current and undeliverable correspondence is pursued to help ensure victims receive case-related notifications from the VNS.

The Victim Internet System

The Victim Internet System (VIS) is a web-based application that allows victims to have access to a subset of VNS data related to their case via the Internet. We evaluated VIS services using a test victim account and included questions about the VIS in our survey of victims active in the VNS.

Accessing the VIS

In response to our survey, only 98 of the 531 victims who returned valid responses indicated that they accessed the VIS to review their case information.8 We believe that EOUSA should be concerned about this relatively low 18-percent usage rate, considering that EOUSA officials informed us on several occasions that they prefer that victims utilize the VIS to obtain case information and that they have attempted to encourage its use.

The majority of our respondents who indicated that they utilized the VIS found it at least somewhat easy to set up their VNS account. However, other respondents commented on difficulties with the process they encountered. Our own review of the VIS using our test victim account also identified certain aspects in the process that could be confusing for victims, including problems with terminology. We spoke with EOUSA officials about these issues, and they responded that they will work to explain VIS procedures in more detail for victims.

Ease of Navigation, Comprehension, and Usefulness

More than 80 percent of the survey respondents stated that navigating or locating information on the VIS was at least somewhat easy. Additionally, most respondents found the information on the VIS to be both comprehensive and useful.

Restitution

On several occasions during our audit, EOUSA officials told us that personnel who worked with victims were often asked questions related to restitution.9 We therefore included questions in our survey related to restitution information available on the VIS. We found that 40 percent of our respondents had accessed the VIS to obtain that information. Of those respondents, 57 percent were dissatisfied or extremely dissatisfied with the restitution information they received from the VIS. This analysis is shown in the following chart.

How satisfied were you with the restitution information you received?

Source: OIG survey of victims active in the VNS

Several provided additional comments about their dissatisfaction with the amount of restitution information available. We also used our test victim account to review restitution information provided in the VIS and found that t he language for restitution in the VIS was not clearly written.

We discussed with EOUSA officials the possibility of providing more restitution information to victims on the VIS. While these officials initially noted that providing this information to victims is not required, in August 2007 EOUSA officials stated that they will clarify the information regarding restitution that is provided to victims on the VIS.

The VNS Call Center

The VNS Call Center consists of an automated, toll-free telephone response system, as well as operators who can provide case information to victims. The automated system generates computerized voice readings of notifications, while operators are able to provide victims answers to a limited number of questions and direct them to points of contact for additional case‑related information. Call Center operators also provide information to federal VNS users.

We found that of the active victim survey respondents, 11 percent had called the toll‑free number. We then conducted separate analyses on those victims who had utilized the automated response and those who had utilized the operator assistance.10

Call Center Automated Assistance

In total, we found that 37 (65 percent) of the 57 victims using Call Center services utilized automated assistance. As shown in the following chart, when we analyzed responses from these 37 victims, we found that 15 (41 percent) never or rarely received information, while 12 (32 percent) always or often received information.

Did you receive the information you wanted
from the automated system?

Source: OIG survey of victims active in the VNS

As shown in the following chart, when we reviewed responses from these same 37 victims regarding the ease with which they were able to access information using the automated system, we found that most found the automated system at least somewhat easy to use.

How easy is it to access information through the automated system?

Source: OIG survey of victims active in the VNS

We also used our test victim account to evaluate the Call Center ’s automated assistance and identified some potentially confusing aspects, including uncertainty about what functions pressing certain buttons on the phone would accomplish. We also found that more case information was available to us on the VIS than via the automated assistance.

Overall, while the automated assistance appears to be relatively easy to use, it can prove challenging and does not always provide the desired information to victims, nor does it provide as much information as does the VIS. We believe it would be worthwhile for EOUSA to make the automated assistance more user‑friendly for victims.

Call Center Operator Assistance

As noted earlier, the Call Center’s operator assistance is able to provide victims only a limited amount of information. Specifically, according to Call Center staff, EOUSA has specified that Call Center operators can provide information on 10 case-specific areas. If victims require information outside of these areas, the Call Center staff tells them who to contact for further information.

Through our analyses, we found that 35 of the 59 victims who utilized Call Center services had utilized operator assistance. As shown in the chart that follows, when we analyzed the responses from these 35 victims, we determined that 16 of them always or often received the information they wanted from the live assistance.

Did you receive the information you wanted?
(from Live Call Center Assistance)

Source: OIG survey of victims active in the VNS

Despite this relatively positive response, 17 respondents who had utilized the assistance indicated that they were dissatisfied because: (1) the system lacked restitution information; (2) case or defendant custody information was not updated; and (3) the system did not contain, in general, enough information and assistance.

When we used our test victim account to evaluate the operator assistance, we identified several additional issues, such as the fact that a victim can only select to speak with a live operator at the beginning of a call. Specifically, if a caller does not immediately select that option (perhaps before the caller has received much information or had the time to develop questions), the caller must hang up, call back, and select to speak with a live operator at the outset of the call. We also found that the Call Center had only one Spanish-speaking operator on staff, who cannot cover every hour of every day the Call Center is in operation. This contradicts the VNS contract, which specifies that a victim must have the option of speaking directly with a Call Center operator to obtain case information in either English or Spanish.

We discussed these issues with EOUSA officials in June 2007. In August 2007, EOUSA officials informed us that they had notified the contractor of the requirement for a Spanish‑speaking operator to be on duty during all Call Center operating hours. As a result, according to EOUSA officials, the contractor is now planning to add another Spanish-speaking operator to the Call Center.

Availability of Custody Status Data

In our survey of victims active in the VNS, we found that respondents considered custody status information to be very important. As depicted in the following chart, more than 70 percent (375 out of 531) of respondents indicated that knowing the custody status of the defendant was important to them.

How important is it for you to know the custody status (incarcerated or not incarcerated) of the defendant(s)/inmate(s) in your case?

Source: OIG survey of victims active in the VNS

The Attorney General Guidelines for Victim and Witness Assistance mandate that DOJ agencies notify victims of the release or escape of an offender or suspected offender. However, USAOs do not consistently enter defendant custody status information into the VNS during the prosecutorial phase. In addition, although the USMS maintains custody status information on offenders, it is not connected to the VNS and had not been approached to do so.

We discussed these issues with EOUSA officials, who agreed that they had not taken action to include in the VNS information from the USMS on defendant custody status. In August 2007, EOUSA officials advised us that providing custody status information to victims would be a priority and that they were coordinating with the USMS about this issue.

Victims No Longer Active in the VNS

Certain victims have been removed from an active status, or “opted-out” of the system. A victim can choose to be opted-out of the VNS or be opted-out by a federal user because of an invalid address or if the person is no longer considered to be a victim. While the VNS contains a field that records the reason a victim is opted-out of the system, it is not mandatory that a federal user populate this field when opting out a victim.

We analyzed VNS data provided by EOUSA and found that 164,493 victims were opted-out of the system between the VNS’s inception in October 2001 and September 20, 2006. As depicted in the following table, when we further analyzed the data, we found that 32 percent of these victims had been opted-out with no reason given.

VICTIMS OPTED-OUT OF THE VNS
October 2001 to September 20, 2006

Opt-Out Reasons

Number of Registrants

Percentage

Contact Choice

4,144

3%

Invalid Address

79,597

48%

User Choice

28,486

17%

No Longer a Victim

17

<1%

No Reason Given

52,249

32%

Total

164,493

100%

Source: OIG analysis of VNS data

This large overall percentage of victims opted-out with no reason provided is troubling because there is no easy way to evaluate whether that victim was opted-out for a valid reason.

Survey of Opted-out Victims

As previously noted, in addition to our survey of victims active in the VNS, we also conducted a survey of opted-out victims. To maximize our response rate, we limited our universe to those victims opted-out of the VNS during the previous 2 full fiscal years prior to the survey, thus isolating 71,179 victims who were opted-out during FYs 2005 and 2006.

We developed a sample and sent our survey to 480 victims and received 58 responses, a relatively low 12-percent response rate. Overall, based on this relatively low overall response rate, including 203 surveys that were returned as undeliverable, our survey of opted-out victims did not provide clear evidence about why victims opt-out of the system.

VNS Information Security

During the course of our audit, we determined several attempted electronic break-ins to the VNS had occurred and that some recommended security patches for the system had not been installed because the patches had not been approved by EOUSA. After discussing these issues with EOUSA officials, we determined that the sensitive nature of the personally identifiable information (or PII) in the VNS – such as names, contact information, and social security numbers – as well as the possible consequences of failing to adequately protect it, warranted a more in-depth review of the VNS’s information security. Therefore, the OIG contracted with outside auditors, Urbach, Kahn, & Werlin, LLP (UKW), to conduct an independent assessment to determine whether the VNS information security and privacy policies comply with government standards and established best practices.11

As a result of this assessment, we identified deficiencies with EOUSA’s implementation of systems and communications protection controls, identification and authentication, website privacy, security measures, and web application controls. These deficiencies indicate that the sensitive information contained within the VNS was not adequately protected against loss of confidentiality and the integrity and availability of data was not appropriately ensured. Moreover, because of these issues the VNS may be susceptible to unauthorized use, access, or data modification.

Systems and Communications Protection Controls

Systems and communications protection controls prevent unauthorized and unintended information transfer between different elements within the same system. We identified weaknesses in transmission integrity and data validation.

Transmission integrity and data validation are used to check the completeness and accuracy of data entered into a system. We reviewed these controls for agencies that transmit data into the system and found that while EOUSA is encrypting data received from the USAOs, the DOJ Criminal Division, and the USPIS, it is not doing so for the FBI and the BOP. Additionally, EOUSA did not always ensure the completeness or accuracy of data files received from the BOP and the FBI. Because EOUSA is not performing these functions, it does not have the ability to detect or prevent the alteration of transmitted data. When we spoke with EOUSA officials about this issue, they acknowledged these deficiencies and said they were currently discussing the implementation of complete session encryption for BOP and FBI data.

Identification and Authentication

Identification and authentication controls ensure that users’ identities are verified before they can connect to the system. A system security plan, which is designed to provide an overview of the security requirements of the system and describe the controls in place, commonly contains this information for users. Moreover, these plans are necessary for certification, accreditation, and authorizing a system to operate. We found that the VNS system security plan contained inaccurate information and had not been updated with the correct procedural information, contact information, and process of authenticating users. This lack of an updated system security plan could result in an inaccurate or incomplete depiction of the VNS’s system security and control environment, meaning that the certification and accreditation document is being approved based upon out-of-date information.

Website Privacy

Website privacy controls protect data collection and PII and include external linking policies. These controls inform users when they are about to visit a third-party website so that users know that they will no longer be protected by the privacy policies of the current site once they utilize a hyperlink to navigate to another website. We reviewed the VIS’s external linking policies and found that the VIS does not provide such a disclaimer notification to users, meaning that victims who utilize the hyperlink may be unaware that differing privacy policies are in effect. DOJ policy specifies that a disclaimer statement informing users that they will no longer be protected by DOJ privacy policies must be provided.

VIS Web Application Controls Testing

Testing web application controls helps to identify vulnerabilities and risks that can result in the loss of confidentiality, integrity, and availability of data. We utilized commercially available software tools to evaluate the VIS’s web application security and identified the following vulnerabilities:

The VIS may allow manipulation within a web application, which can exploit security issues.

The configuration of the VIS allows for the possibility that users could bypass the entry of usernames and passwords of linked web pages. As a result, individuals could gain access to unauthorized information.

The application may be vulnerable to attacks that can allow malicious users to retrieve data or alter server settings.

The VNS server configuration allowed for access to common default directories, which often contain exploitable vulnerabilities.

The VNS uses a computer language, JavaScript, which has certain risks inherent to its use.

The VNS is susceptible to an attacker using web server software to access data in an unauthorized directory. Moreover, the execution of arbitrary commands and code by an attacker may be possible.

We consider the vulnerabilities found in the VIS web application controls to be significant because the system contains PII. We therefore recommend EOUSA take the necessary steps to improve its website security and eliminate these vulnerabilities.

The VNS Vulnerability Assessment

We also performed a vulnerability assessment to identify the security controls implemented for the VNS environment. We compared the VNS’s current security controls to DOJ’s standards and identified vulnerabilities within three areas.

Unnecessary or Vulnerable Service – We found unnecessary or vulnerable services operating on the VNS, which if not properly secured or disabled, could be exploited to launch attacks against the system’s infrastructure.

Patch Management – We found that EOUSA did not always apply application and server patches in a timely manner.12 Specifically, EOUSA had not applied several patches that had been available since 2002 and 2005, which, in essence, allowed a known vulnerability to continue to exist. This made the VNS susceptible to a disruption of its operations.

Network Device and Server Security – Due to EOUSA’s management of the VNS’s device settings and configurations, t he VNS may be susceptible to unauthorized use, access, or data modification of system configuration and password files.

Conclusion

Since VNS began in FY 2002, it has grown to contain information on more than 1 million federal crime victims. While creating such a system that was designed to provide notifications to so many individuals is an impressive achievement, we found certain areas in which VNS operations could be improved.

In terms of EOUSA’s management of the VNS, we found that federal VNS users were generally satisfied with services provided by the VNS. However, weaknesses remain in the VNS Call Center’s automated and Call Center assistance, the accuracy of data in the VNS, and the long-term plans for the future of the system. While EOUSA has taken proactive steps to address some of these issues after we brought them to its attention, other issues remain, and we recommend that EOUSA address these issues in the same manner.

We attempted to gauge the effectiveness of the VNS in notifying victims by conducting surveys of both active victims and those who have been opted-out of the system, as well as by using a test victim account to evaluate Call Center and VIS services. Our survey of those victims active in the VNS indicated that many of them found notifications to be understandable and useful to some degree. However, we identified areas in which VNS-related services could be improved. Most notably, a quarter of our respondents indicated they did not know about the VNS or that they were included in the VNS as a victim, that they had no idea why they had received our survey, or that our survey was the first piece of correspondence they had received regarding the VNS. Additionally, although EOUSA encourages victims to use the VNS website, only a small percentage of our respondents utilized it to obtain information about their cases. As with management of the system, EOUSA has already begun to implement corrective action to address these issues, and we recommend that it continue to do so.

Our information security review of the VNS identified several areas of concern, including weaknesses in systems and communications protection controls, identification and authentication controls, and web application controls. We believe that it is important that EOUSA work to address these vulnerabilities since the VNS contains PII on over 1 million victims of federal crimes.

As noted, according to EOUSA, it has already begun to implement corrective action to address some of the weaknesses we have identified. Additionally, to further assist EOUSA in the improvement of the VNS, we make 19 recommendations for EOUSA to improve the VNS, such as developing an interface to connect all relevant federal agencies to the VNS, formalizing long-term plans for the system and its management, improving certain facets of Call Center services, ensuring that a reason must be recorded in order to opt-out a victim from the VNS, and addressing the vulnerabilities identified during the information security review of the VNS.

Footnotes

Detailed information about VNS funding can be found in Appendix III.

Federal VNS users, such as FBI Victim Specialists and USAO Victim/Witness Advocates, generally specialize in dealing with victims and victim issues and access the VNS to manage information that relates to cases in the control of their agency.

Victims who are considered to be “active” in the VNS are those victims whose information is in the VNS and who are receiving VNS notifications.

The VNS Call Center consists of an automated, toll-free telephone response system, as well as operators who can provide case information to victims.

Detailed information regarding this legislation can be found in Appendix II.

A complete list of VNS notifications can be found in Appendix IV.

A more detailed description of our survey methodology for our survey of victims active in the VNS can be found in Appendix VII. Our survey methodology for our survey of “opted-out” victims can be found in Appendix VIII.

We conducted all of our analyses related to the VIS on this universe of 98 respondents who indicated that they accessed the VIS to review case information.

According to information on the VIS, restitution is defined as a court order directing the defendant to pay a fixed amount of money to the victim in order to compensate the victim for loss incurred as a result of the crime.

As part of our analysis, we found that 15 victims had utilized both automated and live Call Center assistance. We included these 15 victims in our analyses of each of these types of assistance in order to capture all of the victims utilizing a particular type of assistance.

In this section of our report, “we” and “our” refer to the auditors working under the direction of the OIG.

Patches are developed by software manufacturers following the identification of exploitable system security weaknesses. Patch management is the process of controlling the deployment and maintenance of interim software releases into a system’s environment and is used to maintain operational efficiency and effectiveness, overcome security vulnerabilities, and maintain the stability of the system’s environment.